Intrusions

Events associated with this classification taxonomy are related to incidents where the system or service was compromised. This can be performed remotely through a (newly) known or unknown vulnerability, or by an unauthorized local access.

Events with this classification type identify a system that seems to allow access through a Backdoor. A backdoor is usually referring to an access method that bypasses the normal authentication method of the system or service.

Such methods can be installed for malicious purposes, i.e. accessing and changing the system or service without being notice. But many products might have a legitimate vendor backdoor built in to perform maintenance or testing the product. The problem is that such backdoors often share the (weak) credentials, which sooner or later become public knowledge, essentially allowing anyone to access the device or service. Therefore, affected systems may include servers, workstations, networking equipment, mobile phones, etc.

The system identified by source most likely possesses backdoor, allowing to remotely access the system or service. The system should be regarded as compromised, until further investigation has proven otherwise.

Recommendations:

Change the access credentials of potentially affected users.

Scan the system for malicious software. Offline scan from CD or USB if possible.

Check the logs for unusual behavior.

Update the software running on the system.

Check for known vulnerabilities for any service running on the system. Apply the patches and/or configuration changes.

Events with this classification type identify a compromised system or service. While this is a very generic classification, it commonly refers to a compromised website hosted on the reported system.

The underlying root cause can vary and might include sending spam, participating in DDoS attacks, redirecting users to exploit kits etc. A large subset of these compromises are caused by outdated versions of Content Management Systems such as Joomla/Drupal/Wordpress (or plugins for these) and weak or keylogged FTP credentials.

The system identified by source is most likely compromised. If available we include additional information like a classification identifier or extra information. The system should be regarded as compromised, until further investigation has proven otherwise.

Recommendations:

Get professional assistance from your hosting provider or webmaster to remove the content.

Change the access credentials of potentially affected users.

Scan the system for malicious software. Offline scan from CD or USB if possible.

Check the logs for unusual behavior.

Update the software running on the system.

Check if there is known vulnerability for any service running on the system. Apply the patches or configuration changes.

Events with this classification type contain defaced websites. This is an attack on the visual appearance of the website.

The result can range from relatively harmless 'tagging' over electronic vandalism to spreading political messages, usually opposing the content of the original site. Such activity is usually associated with hacktivism.

The most common method is to gain administrative access on the service by using vulnerabilities or directly access the data through FTP once the username and password are obtained. In any case the system and/or service should be regarded as compromised.

The system identified by source most likely hosts a defaced website. The system should be regarded as compromised, until further investigation has proven otherwise.

Recommendations:

Get professional assistance from your hosting provider or webmaster to remove the content.

Restrict access to the website immediately.

Change the access credentials of potentially affected users.

Scan the system for malicious software. Offline scan from CD or USB if possible.

Check the logs for unusual behavior.

Update the software running on the system.

Check if there is known vulnerability for any service running on the system. Apply the patches or configuration changes.